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Abstract

   This document provides specific direction to IANA as to the Resource
   Public Key Infrastructure (RPKI) objects it should issue.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6491.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
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1.  Introduction

   "An Infrastructure to Support Secure Internet Routing" [RFC6480]
   directs IANA [RFC2860] to issue Resource Public Key Infrastructure
   (RPKI) objects for which it is authoritative.  This document
   describes the objects IANA will issue.  If IANA is directed to issue
   additional RPKI objects in future, this document will be revised and
   a new version issued.

   The signed objects described here that IANA will issue are the
   unallocated, reserved, special use IPv4 and IPv6 address blocks, and
   the unallocated and reserved Autonomous System numbers.  These number
   resources are managed by IANA for the IETF; thus, IANA bears the
   responsibility of issuing the corresponding RPKI objects.  The reader
   is encouraged to consider the technical effects on the public routing
   system of the signed object issuance proposed for IANA in this
   document.

   This document does not deal with BGP [RFC4271] routing systems, as
   those are under the policy controls of the organizations that operate
   them.  Readers are directed to "Local Trust Anchor Management for the
   Resource Public Key Infrastructure" [TA-MGMT] for a description of
   how to locally override IANA issued objects, e.g., to enable use of
   unallocated, reserved, and special use IPv4 and IPv6 address blocks
   in a local context.
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   The direction to IANA contained herein follows the ideal that it
   should represent the ideal technical behavior for registry and
   related registry actions.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Required Reading

   Readers should be familiar with the RPKI, the RPKI repository
   structure, and the various RPKI objects, uses, and interpretations
   described in the following: [RFC6480], [RFC6487], [RFC6482],
   [RFC6493], [TA-MGMT], [RFC6483], [RPKI-USE], [RFC6484], and
   [RFC6486].

   Note: The addresses used in this document are not example addresses;
   therefore, they are not compliant with [RFC3849], [RFC5735], and
   [RFC5771].  This is intentional, as the practices described in this
   document are directed to specific instances of real world addresses.

4.  Definitions

   Internet Number Resources (INR): The number identifiers for IPv4
   [RFC0791] and IPv6 [RFC2460] addresses, and for Autonomous Systems
   (ASes).

   IANA: Internet Assigned Numbers Authority (a traditional name, used
   here to refer to the technical team making and publishing the
   assignments of Internet protocol technical parameters).  The
   technical team of IANA is currently a part of ICANN [RFC2860].

   RPKI: Resource Public Key Infrastructure.  A Public Key
   Infrastructure designed to provide a secure basis for assertions
   about holdings of Internet number resources.  Certificates issued
   under the RPKI contain additional attributes that identify IPv4,
   IPv6, and Autonomous System number resources [RFC6480].

   ROA: Route Origination Authorization.  A ROA is an RPKI object that
   enables the holder of the address prefix to specify an AS that is
   permitted to originate (in BGP) routes for that prefix [RFC6482].

   AS 0 ROA: A ROA containing a value of 0 in the ASID field.
   "Validation of Route Origination Using the Resource Certificate
   Public Key Infrastructure (PKI) and Route Origination Authorizations
   (ROAs)" [RFC6483] states "A ROA with a subject of AS 0 (AS 0 ROA) is
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   an attestation by the holder of a prefix that the prefix described in
   the ROA, and any more specific prefix, should not be used in a
   routing context."

   "Not intended to be (publicly) routed": This phrase refers to
   prefixes that are not meant to be represented in the global Internet
   routing table (for example 192.168/16 [RFC1918]).

5.  Reserved Resources

   Reserved IPv4 and IPv6 resources are held back for various reasons by
   IETF action.  Generally, such resources are not intended to be
   globally routed.  An example of such a reservation is 127.0.0.0/8
   [RFC5735].  See Appendixes A and B for IANA reserved resources.

   IANA SHOULD issue an AS 0 ROA for all reserved IPv4 and IPv6
   resources not intended to be routed.  The selection of the [RFC2119]
   terminology is intentional as there may be situations where the AS 0
   ROA is removed or not issued prior to an IANA registry action.  It is
   not appropriate to place IANA into a situation where, through normal
   internal operations, its behavior contradicts IETF standards.

   There are a small number of reserved resources that are intended to
   be routed, for example 192.88.99.0/24 [RFC3068].  See Appendixes A
   and B for IANA reserved resources.

   IANA MUST NOT issue any ROAs (AS 0 or otherwise) for reserved
   resources that are expected to be globally routed.

6.  Unallocated Resources

   Internet Number Resources that have not yet been allocated for
   special purposes [RFC5736], to Regional Internet Registries (RIRs),
   or to others are considered as not intended to be globally routed.

   IANA SHOULD issue an AS 0 ROA for all Unallocated Resources.  The
   selection of the [RFC2119] terminology is intentional as there may be
   situations where the AS 0 ROA is removed or not issued prior to an
   IANA registry action.  It is not appropriate to place IANA into a
   situation where, through normal internal operations, its behavior
   contradicts IETF standards.

7.  Special Purpose Registry Resources

   Special Registry Resources [RFC5736] fall into one of two categories
   in terms of routing.  Either the resource is intended to be seen in
   the global Internet routing table in some fashion, or it isn't.  An
   example of a Special Registry Resources INR that is intended for
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   global routing is 2001::/32 [RFC4380].  An example of an INR not
   intended to be seen would be 2001:002::/48 [RFC5180].

   IANA MUST NOT issue any ROAs (AS 0 or otherwise) for Special Purpose
   Registry Resources that are intended to be globally routed.

   IANA SHOULD issue an AS 0 ROA for Special Purpose Registry Resources
   that are not intended to be globally routed.

8.  Multicast

   Within the IPv4 multicast [RFC5771] and IPv6 multicast [RFC4291]
   registries there are a number of Multicast registrations that are not
   intended to be globally routed.

   IANA MUST issue an AS 0 ROA covering the following IPv4 and IPv6
   multicast INRs:

   IPv4:
           - Local Network Control Block
              224.0.0.0 - 224.0.0.255 (224.0.0/24)
           - IANA Reserved portions of RESERVED
              224.1.0.0-224.1.255.255 (224.1/16)
           - RESERVED
              224.5.0.0-224.251.255.255 (251 /16s)
              225.0.0.0-231.255.255.255 (7 /8s)

   IPv6:
           - Node-Local Scope Multicast Addresses
           - Link-Local Scope Multicast Addresses

   IANA MUST NOT issue any ROAs (AS 0 or otherwise) for any other
   multicast addresses unless directed by an IESG-approved Standards
   Track document with an appropriate IANA Considerations section.

9.  Informational Objects

   One informational object that can exist at a publication point of an
   RPKI repository is the Ghostbusters Record [RFC6493].

   IANA MUST issue a ghostbusters object appropriate in content for the
   resources IANA maintains.

10.  Certificates and Certificate Revocation Lists (CRLs)

   Before IANA can issue a ROA, it MUST first establish an RPKI
   Certification Authority (CA) that covers unallocated, reserved, and
   special use INRs.  A CA that covers these INRs MUST contain RFC 3379
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   extensions [RFC3779] for those corresponding number resources in its
   certificate.  This CA MUST issue single-use end-entity (EE)
   certificates for each ROA that it generates.  The EE certificate will
   conform to the Resource Certificate Profile [RFC6487] and the
   additional constraints specified in [RFC6482].  IANA MUST maintain a
   publication point for this CA's use and MUST publish manifests
   [RFC6486] (with its corresponding EE certificate) for this
   publication point.  IANA MUST issue a CRL under this CA certificate
   for the EE certificates noted above.  All objects issued by this CA
   will conform to the RPKI Certificate Policy [RFC6484].

11.  IANA Considerations

   This document directs IANA to issue, or refrain from issuing, the
   specific RPKI objects described here for the current set of reserved,
   unallocated, and special registry Internet Number Resources.
   Further, IANA MUST notify all other INR registries that RPKI objects
   have been issued for the Internet Number Resources described in this
   document to avoid the potential for issuance of duplicate objects
   that might confuse relying parties.

12.  Security Considerations

   This document does not alter the security profile of the RPKI from
   that already discussed in SIDR WG documents.
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Appendix A.  IANA Reserved IPv4 Address Blocks

   This list of Address Space and RFCs was correct at the time of
   writing this document.

   +--------------------+------------------------------------+---------+
   |       Prefix       |                 RFC                |   TBR   |
   +--------------------+------------------------------------+---------+
   |      0.0.0.0/8     |     [RFC1122], Section 3.2.1.3     |    No   |
   |     10.0.0.0/8     |              [RFC1918]             |    No   |
   |     127.0.0.0/8    |     [RFC1122], Section 3.2.1.3     |    No   |
   |   169.254.0.0/16   |              [RFC3927]             |    No   |
   |    172.16.0.0/12   |              [RFC1918]             |    No   |
   |    192.0.0.0/24    |              [RFC5736]             | Various |
   |    192.0.2.0/24    |              [RFC5737]             |    No   |
   |   192.88.99.0/24   |              [RFC3068]             |   Yes   |
   |   192.168.0.0/16   |              [RFC1918]             |    No   |
   |    198.18.0.0/15   |              [RFC2544]             |    No   |
   |   198.51.100.0/24  |              [RFC5737]             |    No   |
   |   203.0.113.0/24   |              [RFC5737]             |    No   |
   |     224.0.0.0/4    |              [RFC5771]             |    No   |
   |     240.0.0.0/4    |        [RFC1112], Section 4        |    No   |
   | 255.255.255.255/32 |      [RFC0919], Section 7 and      |    No   |
   |                    |        [RFC0922], Section 7        |         |
   +--------------------+------------------------------------+---------+

      TBR: To Be Routed, the intention of the RFC pertaining to the
           address block.

                     Table 1: IPv4 Address Blocks and
                 the RFCs that Direct IANA to Reserve Them
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Appendix B.  IANA Reserved IPv6 Address Blocks

   This list of Address Space and RFCs was correct at the time of
   writing this document.

                   +----------------+-----------+-----+
                   |     Prefix     |    RFC    | TBR |
                   +----------------+-----------+-----+
                   |    0000::/8    | [RFC4291] |  No |
                   |    0100::/8    | [RFC4291] |  No |
                   |    0200::/7    | [RFC4291] |  No |
                   |    0400::/6    | [RFC4291] |  No |
                   |    0800::/5    | [RFC4291] |  No |
                   |    1000::/4    | [RFC4291] |  No |
                   |    4000::/3    | [RFC4291] |  No |
                   |    6000::/3    | [RFC4291] |  No |
                   |    8000::/3    | [RFC4291] |  No |
                   |    A000::/3    | [RFC4291] |  No |
                   |    C000::/3    | [RFC4291] |  No |
                   |    E000::/4    | [RFC4291] |  No |
                   |    F000::/5    | [RFC4291] |  No |
                   |    F800::/6    | [RFC4291] |  No |
                   |    FC00::/7    | [RFC4193] |  No |
                   |    FE00::/9    | [RFC4291] |  No |
                   |    FE80::/10   | [RFC4291] |  No |
                   |    FEC0::/10   | [RFC3879] |  No |
                   |    FF00::/8    | [RFC4291] |  No |
                   | 2001:0002::/48 | [RFC5180] |  No |
                   |  2001:10::/28  | [RFC4843] |  No |
                   +----------------+-----------+-----+

      TBR: To Be Routed, the intention of the RFC pertaining to the
           address block.

                     Table 2: IPv6 Address Blocks and
                 the RFCs that Direct IANA to Reserve Them
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